
Pokemon Go is a Security Game?

While the news coverage has trailed off, the Pokemon Go phenomenon continues as kids and adults continue to play, and the game expands to new locations.

Also in the news, but with less coverage, was the security hole that gave the companies behind Pokemon Go completely unfettered access to users’ Google Apps and Gmail accounts. This access was not just to read your contacts so you can “share”; Pokemon Go had full read/write access to all user data.

In a short but sobering report, our friends at CloudLock assess and quantify the risk posed by Pokemon Go. Click here to access the report; it serves as a great example of the risks posed by 3rd party apps.


Contact us if you want to learn more about protecting Google Apps from 3rd party app risks.

 

Not Using Google Drive? You Are Not Alone

CIO Magazine recently published a report claiming that 80% of Google for Work customers with more than 1,000 users are not utilizing Google Drive. The statistic is based on whether or not users worked with Drive at least once per month. This is disappointing given that studies show the powerful benefits realized when the collaborative features of Drive are fully utilized.

While the report does not discuss why Drive adoption is low, we have our suspicions.

Peer-to-peer file services do not scale — not without some help

In Drive (and OneDrive and other cloud file services), users create their own folders and share them with individuals and teams. Each user “owns” their space and their files, and to find a file it helps to know who shared it with you. Without central management, naming conventions, and other controls, it is difficult to control and manage access to sensitive information. While these file services are not as challenging as Windows for Workgroups (circa 1992), they come pretty darn close. Users familiar with a central file structure are easily frustrated with peer-to-peer sharing and file services.

“Security” is confused with “Sharing”

Yes, Google recently announced that Ernst & Young has verified the ISO 27018 cloud privacy standard for Google Drive. But when users think of security, they are concerned about sharing — or permissions — of their files. In any cloud file service, it can be difficult to fully understand who will have access to the file you are creating or uploading.  And, the nuances of Google Drive can take time to learn.

For example, when sharing a link for a Google Doc with a person that does not currently have permissions, you are prompted to allow anybody with the link to view (or comment, or edit) the document. If your intended recipient forwards the message, access is available to others outside your original intention.

In Drive, and other similar services, the relationship between exposure (who can see, view, edit the file with or without credentials) and explicit access permissions has a learning curve that is often overlooked.  People will avoid using Drive if they are worried about exposure and permissions.
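The gap between explicit permissions and actual exposure can be measured from a file's permission list. The following is an added example, not part of the original post: it grades constructed records shaped like Drive API v3 permission resources (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), and the organization domain, file names and the `audit` threshold are assumptions.

```python
# Added example: grade Drive file exposure from permission records.
# Sample data is constructed; ORG_DOMAIN is an assumed organization domain.
ORG_DOMAIN = "example.com"

# Wider audience = higher rank.
RANK = {"private": 0, "domain": 1, "external": 2, "anyone_with_link": 3, "public": 4}
CAN_CHANGE = {"owner", "organizer", "fileOrganizer", "writer"}


def grant_exposure(perm, org_domain=ORG_DOMAIN):
    """Audience reached by a single permission entry."""
    kind = perm["type"]
    if kind == "anyone":
        # No credentials needed; discoverable files can also be found by search.
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if kind == "domain":
        return "domain" if perm.get("domain", "").lower() == org_domain else "external"
    # user or group: compare the address domain with the organization's
    addr_domain = perm.get("emailAddress", "").rsplit("@", 1)[-1].lower()
    return "private" if addr_domain == org_domain else "external"


def file_exposure(permissions, org_domain=ORG_DOMAIN):
    """Return (widest audience, whether that audience can change the file)."""
    graded = [(grant_exposure(p, org_domain), p["role"]) for p in permissions]
    widest = max((lvl for lvl, _ in graded), key=RANK.get, default="private")
    editable = any(role in CAN_CHANGE for lvl, role in graded if lvl == widest)
    return widest, editable


def audit(files, org_domain=ORG_DOMAIN, threshold="external"):
    """List files exposed at or beyond the threshold, widest and editable first."""
    findings = []
    for f in files:
        level, editable = file_exposure(f["permissions"], org_domain)
        if RANK[level] >= RANK[threshold]:
            findings.append((f["name"], level, editable))
    return sorted(findings, key=lambda x: (-RANK[x[1]], not x[2], x[0]))


# Constructed sample inventory.
SAMPLE_FILES = [
    {"name": "Q3 forecast.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "Team roster", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"name": "Contract draft", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "counsel@partner.example"}]},
    {"name": "Brainstorm notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dave@example.com"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
]

if __name__ == "__main__":
    for name, level, editable in audit(SAMPLE_FILES):
        print(f"{level:17} {'edit' if editable else 'view':5} {name}")
```

"Q3 forecast.xlsx" has a single named user on its permission list, yet it grades as `anyone_with_link`: a forwarded link opens it for whoever receives it.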

The rules are a bit different

Google Drive is more flexible, and in many respects more powerful, than traditional Windows and Linux file shares. This power, however, can be distracting to end users. Having multiple documents with identical names in a folder, for example, throws many for a loop. It’s not intuitive given their experience and it can create confusion as to which document is correct or current.

Using Drive and other cloud file services is different, but you can take steps to ease the transition and improve adoption.

Train Your Users: 

Beyond the basic “clicks and drags” of Google Drive, help your users learn and understand how to use Drive effectively. Cover permission settings so they understand how to share safely and with confidence. Discuss document naming and version management, including how to upload new versions of documents without creating duplicates. Help them learn how to navigate Drive, use the search bar effectively, and launch applications from within the web interface.

Create a Managed File Service:

With an affordable add-on, you can overlay a more traditional file server structure onto Google Drive. With tools like AODocs File Server, you can add the aspects of a traditional file server to Drive:

  • Central ownership and control of space, top level folders, and folder hierarchies
  • Distributed access and permissions from a central authority
  • Conversion of personal to central ownership of files uploaded to, or created within, centrally managed libraries
  • Inherited permissions
  • Audit trails

Yes, there is a cost, but the value for many companies is much greater.

Manage Your Permissions:

Permissions are not just about user settings.  Permissions should — and can — be driven by your privacy needs and the content of your documents. Tools like BetterCloud and CloudLock give you the ability to monitor and manage user access and permissions based on business rules and content as it is created or uploaded. Analysis for HIPAA, PHI, PCI, and other compliance requirements is built-in, with the ability to create customized rules for your specific needs.

 

With the right tools and a knowledgeable workforce, you and your team will better adopt and utilize Drive. And with adoption come results.


Please Contact Us if you would like information about any of the services mentioned in this post.


 

Assessing Your Google Apps Security Threats

The power of Google Apps comes from the variety and scope of its collaboration features.  Unfortunately, the same tools we use to share and to work more efficiently can be used against us. When users set permissions, they may accidentally (or intentionally) over-share, resulting in data leaks, disclosures, policy breaches, and regulatory violations.

With the ability to select and connect 3rd party mobile and web apps to their Google accounts in just a few clicks, employees can easily and unintentionally grant access to untrustworthy apps.

How do you protect your users from threats they do not know exist?

Assessing and managing information security within Google Apps warrants a multi-faceted approach.

  1. Education. Make sure employees understand your organization’s privacy and security policies, and any regulations and laws you must follow.
  2. Education. Make sure your users understand the basics of how permissions work within Google Drive and Sites, and how to use settings to comply with policies.
  3. Education. Make sure employees know that 3rd party apps can be dangerous and cause problems.

Beyond Education, many organizations look to deploy data protection and security solutions that support policies, that monitor the Google Apps environment for risks and violations, and that can respond and remediate potential data sharing violations.

Before you invest, however, understand your risk.  By reviewing Drive content and permissions and analyzing the inventory of 3rd party apps accessing your Google Apps domain, you can best assess if and when additional security and administrative tools are warranted.  While this can be time-consuming, tools and services exist that can automate the process of gathering and analyzing Google Apps security threat information.
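The app-inventory half of that review can be sketched in a few lines. This is an added example, not from the original post or any vendor's tool: it summarizes OAuth grants by app and by user from constructed records. The record field names, app names and users are assumptions, the scope URLs are Google's published ones, and treating an unrecognized scope as read-level pending review is a choice made here.

```python
# Added example: summarize third-party OAuth grants by app and by user.
# Grant records, app names and users are constructed for illustration.
LABEL = ["identity only", "per-file", "read", "full read/write"]

SCOPE_LEVEL = {
    "https://mail.google.com/": 3,                            # full Gmail access
    "https://www.googleapis.com/auth/drive": 3,               # all Drive files
    "https://www.googleapis.com/auth/contacts": 3,            # read/write contacts
    "https://www.googleapis.com/auth/gmail.readonly": 2,
    "https://www.googleapis.com/auth/drive.readonly": 2,
    "https://www.googleapis.com/auth/contacts.readonly": 2,
    "https://www.googleapis.com/auth/calendar.readonly": 2,
    "https://www.googleapis.com/auth/drive.file": 1,          # only files the app opens
    "https://www.googleapis.com/auth/userinfo.email": 0,
}
UNKNOWN_LEVEL = 2  # assumption: unrecognized scopes count as "read" and are listed for review


def scope_level(scope):
    return SCOPE_LEVEL.get(scope, UNKNOWN_LEVEL)


def inventory(grants):
    """Group grants by app: who installed it, its widest scope, unrecognized scopes."""
    apps = {}
    for g in grants:
        entry = apps.setdefault(g["app"], {"users": set(), "level": 0, "unknown": set()})
        entry["users"].add(g["user"])
        for scope in g["scopes"]:
            entry["level"] = max(entry["level"], scope_level(scope))
            if scope not in SCOPE_LEVEL:
                entry["unknown"].add(scope)
    return apps


def report(grants):
    """Rows of (app, access label, user count, scopes to review), riskiest first."""
    rows = [(name, e["level"], len(e["users"]), sorted(e["unknown"]))
            for name, e in inventory(grants).items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return [(name, LABEL[level], users, unknown) for name, level, users, unknown in rows]


def users_with_full_access(grants):
    """Map each user to the apps they granted full read/write access."""
    result = {}
    for g in grants:
        if any(scope_level(s) == 3 for s in g["scopes"]):
            result.setdefault(g["user"], set()).add(g["app"])
    return {user: sorted(apps) for user, apps in sorted(result.items())}


# Constructed sample grants.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app": "Maze Game", "scopes": [
        "https://mail.google.com/", "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "app": "Maze Game", "scopes": [
        "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"user": "alice@example.com", "app": "Doc Signer", "scopes": [
        "https://www.googleapis.com/auth/drive.file",
        "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "bob@example.com", "app": "Calendar Widget", "scopes": [
        "https://www.googleapis.com/auth/calendar.readonly",
        "https://example.invalid/auth/custom"]},
]

if __name__ == "__main__":
    for row in report(SAMPLE_GRANTS):
        print(row)
    print(users_with_full_access(SAMPLE_GRANTS))
```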

Through September 30, 2014, Cumulus Global is partnering with CloudLock, the Google Apps collaboration security company, to offer a comprehensive Google Apps Security Health Check, which will analyze both Drive content and the risk from 3rd party mobile and web apps.  Normally a service costing $1,000 to $5,000, we are offering the assessment for $300 or less.

Click Here for more information and/or to speak with a Cloud Advisor.

 

Cumulus Global Offers Solutions and Seminars at FETC 2014

Visitors to FETC 2014 in Orlando later this month have a unique opportunity to learn how Google Apps for Education can serve as a platform for robust administrative and classroom computing.

Cumulus Global (Booth #256) is hosting a series of in-booth seminars covering a range of topics from system administration, data protection, and security, to 1:1 program design and professional development for faculty.  Cumulus Global is webcasting the sessions as well, for those unable to attend FETC in person.

With more than a dozen sessions, Cumulus Global intends to offer attendees new perspectives on how schools can effectively Deploy solutions, Gear Up with the best devices and infrastructure, and Transform the learning process.

Session presenters include experts from Backupify, Bettercloud, CloudLock, Edsby, and Eduscape Learning.

Click Here for more information, or to register for one or more of the webcasts. Feel free to Contact Us with any questions.

As a featured exhibitor, Cumulus Global is able to offer the following discount codes for FETC 2014 attendees:

  • Register using code FREE974 for your free Exhibit Hall Pass and access to the Learning Labs, a $50 value.
  • Register using code EDUCATE to save $60 on FETC Full Conference Registration.

The 5 Most Trusted & Banned 3rd Party Apps for Google Apps Domains

One of the benefits of Google Apps is the ability to integrate third-party applications. One of the risks when using Google Apps is that some third-party applications may request access to information and privileges that you do not want them to have.

In addition to letting you identify, approve, and block third-party application access to Google Apps data, CloudLock Apps Firewall provides a trust rating.  The Trust Rating lets you know what percentage of Apps Firewall users allow or ban each application.

Here are the top five Trusted applications:

  • Google Drive
  • www.google.com
  • Picasa
  • Google Chrome
  • Android Calendar

Here are the top five Banned applications:

  • Mailbox
  • Dropbox
  • 8 Ball Pool
  • Angry Birds
  • Chrysalis Animation

 

Viral Spread of Cloud Creates New Challenges


This blog post is the second in a series on Data Protection issues and practical solutions.

As discussed in a recent TechRepublic Blog Post, cloud computing vendors are enabling the spread of on-demand software outside the control of the IT Department.

It is easy to see how it happens. Somebody signs up for a service in order to complete a task that they cannot (or do not know they can) do with their current system. They share the solution with co-workers, and, before you can say monthly recurring fee, the company must decide if this new tool is a de facto standard and should be included in the formal IT ecosystem.

Aside: On the one hand, shame on the users for not asking first.  On the other hand, shame on IT for not understanding the users’ needs and providing solutions with either current or new technologies.

The challenge becomes managing these services and making sure they are secure.  Beyond deciding who, why, and when services may be used, these services may create real security risks.

In the Google Apps environment, users can install any one of hundreds of third-party applications, many of which request and require access to user data.  While most applications only request and use the access they need, many request permissions that can inadvertently expose critical data such as sensitive documents and contact information.

Solutions

To mitigate these risks, it is important for the IT team to review and evaluate all new applications, and companies should have policies through which they can enforce this rule. In return, the IT team must be held accountable for responsiveness.

In addition, it is wise to monitor your environment for new software. For your in-house systems, free tools like Spiceworks will update you with scheduled scans of all systems.

Within your Google Apps ecosystem, Cloudlock App Firewall provides you with the ability to both monitor and manage which applications are running in your environment. The App Firewall reports the level of data exposure by application and reports applications added by user as well as by application. You can mark applications as approved, blocked, or not trusted. You can revoke permissions, effectively disabling applications as well. The system also provides guidance, letting you know how other companies have rated applications.

Conclusion

While users will continue to look for apps, the IT team can and should be ahead of the curve.  Additional tools, however, can help monitor and manage applications, which will mitigate risk, enforce company policies, and meet regulatory requirements for data protection.

 

For more information about Cloudlock App Firewall, please contact us.

3rd Tues @ 3 Webcast: Protecting Data in Google Apps

 

For those running or considering Google Apps, Google’s highly redundant, multi-tenant infrastructure protects data from nearly all risk of loss or corruption due to hardware or system failure.  Understanding the other risks to our data lets us decide when and how to better protect ourselves.

In this live web event, Allen Falcon, CEO of Cumulus Global, will discuss the business risks and use cases that drive the need for data protection and data loss prevention and will look at practical, affordable solutions.

Joined by experts from Backupify and Cloudlock, Falcon will overview and demonstrate affordable solutions for creating a secure and protected data ecosystem using Google Apps and Google Drive.

And, as always, there will be plenty of time for your questions.

Click Here to Register or for More Information.

 

Cloud Backup/Recovery: The Same, Only Different


This blog post is the second in a series on Data Protection issues and practical solutions.

Backup and Restore, the most basic form of data protection, has been a standard IT practice since teams of operators managed racks and rows of tape drives and tapes for early mainframe computers. Borrowing from proven audio technologies, tape backups protected programs and data from the fickle failings of early disk drives.

As computers became more interactive, and more personal, the need for backup and restore services expanded. Yes, your hardware might fail. More likely, however, an assistant would “save as” over the boss’ most recent masterpiece. Computers were new, and human error was inevitable. Then came viruses, poorly written applications, spyware, bots, and the Internet (the yin and yang of all things good and evil).

As we move into the cloud, some of the reasons for backup/restore remain, and some new ones emerge.  

For those of us running Google Apps for Business, Education, and Government, Google’s highly redundant, multi-tenant infrastructure protects us from nearly all risk of data loss or corruption due to hardware or system failure.  Understanding the other risks to our data lets us decide when and how to better protect ourselves.

Third Party Applications

While domain-level access for applications is usually restricted to administrators, users often have the ability to run and connect third party applications to accounts.  Whether global or individual, poorly written third party applications can wreak havoc with your data.  Applications that need write access to docs, email, calendars, or contacts, can overwrite or delete content.  Determining the scope of a problem, and recovery, can be nearly impossible without reviewing all of your data.

User Error

Recent research shows that data loss within Google Apps is due to user error 63% of the time (0% is caused by Google).  As with any new system, unfamiliarity can bring unintended harm.  Ill-placed pastes, mistaken deletions, and save instead of “save as” are some of the ways data may be lost.   Even more complex, mistakes using Manage Revision settings, and permanently deleting items, can make recovery impossible.

Willful Misconduct

Protecting your data from the employee (or soon to be ex-employee) intent on doing harm is nothing new.  In Google Apps, as well as any other system, employees with access to sensitive information often have the ability to damage or destroy that information in ways intended to harm your business.

Security Breach

Google Apps is one of the most secure public cloud services in the world. Even so, no system is ever completely safe from user identity theft or corrupt systems with access. A malware-infected computer running Google Drive can allow damage to data in Google Apps as easily as with a computer connected to a Windows server down the hall. If a user — knowingly or as a result of social engineering — shares his or her identity, hackers and others can damage your data.

Google Error

While Google has never had errors resulting in permanent data loss, and Google’s systems are designed to withstand multiple points of failure, a very, very small chance still exists that a software or hardware error could corrupt data.

All of these cases are, and have been, reasons to run a backup/recovery service.  But at what point do you add backup/recovery to your?  For most, the answer is as simple as the answer to the following question:

If you had this data on a server in your computer room, would you back it up?

If the answer is “Yes”, then you should protect the data where it lives — even in Google Apps.

For others, it is one of critical mass.  When the cloud is considered a secondary data store, some wait for usage to reach a level “significant” enough to warrant the additional cost of backup/recovery services.  Unfortunately for some who “wait and see”, the significance is often measured by the pain of a data loss event.

—–


Tuesday Take-Away: 6 Ways to Protect IP within Google Apps

While some remain suspect of security and privacy with cloud computing, Google Apps actually offers ways to help protect and preserve a company’s Intellectual Property (“IP”) that are not readily available in traditional, in-house systems.  Why worry about IP? Because as business becomes more electronic, your contracts, agreements, change orders, and work product are more likely to be written, reviewed, updated, and negotiated on-line. Protecting your documents, data, and information means protecting your business.

Let’s Get Technical

Google Apps’ underlying data management is Write Once, Read Many (aka “WORM”). In other words, once information is saved in Google’s system it cannot be altered. Unlike MS Exchange or a Windows File Server on which a Domain Administrator can alter any existing content anywhere, once data is saved in Google Apps, it cannot be modified.

Granted, you can reply to an email and modify the embedded copy of the original message. But the original message is still saved as it was received. Similarly, you can open a Google Doc and modify the content, but the revision history is there and you can go back to prior versions.

The big risk to WORM is the power to delete … but we have a solution for that too.

Here are Six Ways To Protect Your IP with Google Apps:

 

1) Comments in Google Docs

Even if you switch to MS Word for your final formatting, draft your documents in Google Docs using the “Insert Comment” feature. By keeping editing rights to yourself and giving comment-only permission to your associates, you have full control of the document’s contents. Your associates — be they co-workers, a client, or opposing counsel — have the ability to highlight portions of the document and comment. Whether they ask questions or suggest alternate wording, you can reply in kind via comment as you edit the document.

Once final agreement is reached, you can “resolve” the comment.  While it disappears from view, it is part of the permanent history of the document.

Imagine two lawyers discussing and agreeing to the intent of a contract clause.  If an issue were to come up at some point in the future, any discussion of the ‘original intent’ of the clause would be cut short by the comment thread saved at the time.

2) Message Discovery (now); Google Vault (soon)

As noted above, the big risk to IP in Google Docs is deletion. Google Message Discovery (GMD), available to all Google Apps users, provides a secure, compliant archive of all inbound, outbound, and internal email messages with retention of up to 10 years. The service provides search and e-discovery tools as well.

Imagine a client refusing to pay for work that was not “officially authorized”.  With GMD in place, you can produce the email thread discussing the work and providing the authorization.

Google Vault, available to new Google Apps customers now and all Google Apps users in the near future, extends the archiving ability of Google Apps in several ways. Google Vault recognizes that your IP is not just in email and that your retention needs will vary. Google Vault lets you:

  • Archive email, instant messages, and documents
  • Provide unlimited retention of archived information
  • Take advantage of the WORM underpinnings of Google Apps to maintain and protect your IP.

3) Google Drive and Docs

In our increasingly electronic world, more work gets done on the go.  By implementing Google Drive, your users have the ability to work locally while synchronizing and saving files automatically in Google Docs.  Beyond providing a convenient way to work — online or offline — Google Drive provides a level of protection for your IP from local hardware issues.  Combined with a backup/recovery strategy (see below), you have even better data protection.

Also, by adding additional space, you can also strategically create a secure file sharing structure where ownership of folders and files mimics traditional file server models.

4) Protected Folders

One way to protect IP is to ensure that final documents are tamper-proof and protected from deletion. You can prevent critical documents from being edited or deleted by setting up protected folders. These folders provide defined view permission, but will prevent users from tampering with or removing critical information from within Google Docs.

CloudLock is one such service that lets you create protected folders.  In doing so, you can also determine who can add files to these folders, who can view folder content, and which administrative account manages the folders.

5) Backup / Restore

While Google Apps prevents data loss from hardware/software issues and provides version histories, Google Apps cannot prevent user mistakes or acts of malice.  Files not protected from deletion (see above) are vulnerable.  Additionally, you still need to protect against problems that can occur on any file server, such as uploading and sharing virus-infected files.

Given that users have critical data in each of the Google Apps services, tools like Backupify offer a broad range of protection. Backupify protects user content in email, calendar, contacts, docs, and sites.

6) Permissions Monitoring

Google Apps makes collaboration easy. And, while you can restrict users’ ability to share to some extent, understanding the visibility of IP within and outside your business, and monitoring your documents for changes in exposure, is an emerging best practice.

Key elements of the CloudLock service are the ability to monitor changes in document permissions, the ability to change document ownership, and the emerging ability to set alerts based on keywords and business rules.

Wrap Up

When moving your data from in-house systems to Google Apps or other cloud services, you want and need to make sure that your data is at least as secure and private, if not more so. Just as with in-house systems, you have tools and services available to manage and protect your intellectual property when using cloud solutions. Google Apps provides a great foundation with an infrastructure designed to protect data with every save. Integrated third party tools like CloudLock and Backupify, along with new features in Google Apps itself, provide a manageable, secure ecosystem.